Reporting

Specops Password Policy provides a way to view reports on the periodic scanning it performs. In addition, Specops Password Policy users can schedule periodic reports generated from SPA.

Viewing Periodic Scanning reports


In the Domain Administration Tool you can view a summary of the last Periodic Scanning, or any previous reports.

  1. In the Domain Administration Tool, go to Periodic Scanning.
  2. Use the Report Date dropdown to view the results of previous Periodic Scans.

You can configure how many reports are saved in the Settings section. For more information, please refer to the Domain Administration Tool page.

Automating and scheduling reports


There are two different types of reports: periodic scanning reports, which are generated by default, and PDF reports, which can be generated by admins.

  • Periodic scanning reports: By default the periodic scanning in the Specops Password Policy Sentinel Service runs every night on the PDC emulator. During the periodic scanning, actions are taken, for instance to expire passwords and to handle breached passwords. Specops Password Policy Sentinel saves information from the periodic scanning. The Domain Administration Tool can show this information, but it is also possible to retrieve it using Windows PowerShell 5.1 cmdlets if automation is preferred.
  • PDF reports: Specops Password Auditor is primarily a tool for generating PDF reports listing risks around password policies and user accounts in Active Directory. Apart from manually generating reports in Specops Password Auditor, Specops Password Policy users can generate (scheduled) reports using a Windows PowerShell 5.1 cmdlet.

Periodic Scanning reports vs Password Auditor PDF reports

There is a fundamental difference between Periodic Scanning reports and reports generated through Specops Password Auditor. Reports generated from the periodic scanning in Specops Password Policy contain information about actions performed on users in the periodic scan, such as passwords found to be breached. It is the result of a periodic scan performed previously at a certain time. Reports generated from Specops Password Auditor, on the other hand, contain a different information set, related to risks around users and password policies. It is a snapshot of information gathered, but no actions have been performed on users.

Periodic Scanning reports

The SPP admin tool PowerShell module contains the following cmdlets related to periodic scanning:

  • Get-SppPeriodicScanningResultList: lists the available periodic scanning results from the domain controller.
  • Get-SppPeriodicScanningResult: returns summary information of the latest periodic scanning, or, if specified, of a specific user counting id. No user information is provided in this result set.
  • Get-SppPeriodicScanningResultUsers: returns information about the users from the latest periodic scanning, or, if specified, from a specific user counting id.

Note that the above cmdlets return information from a periodic scan that has been performed, but do not start a new periodic scan.

Specops Password Auditor PDF reports

The SPP admin tool PowerShell module contains the following cmdlet related to Password Auditor PDF reporting:

  • New-SpaReport: scans information from Active Directory and generates a PDF report. It is recommended to carefully consider how often and when to run this command, as it causes load on the domain controller.

With this command it is for instance possible to generate a report that can be sent by e-mail to a CISO to provide a weekly status.

While the SPA tool scans for users with breached passwords found in the Express list, those findings are not part of the PDF generated from the cmdlet. If information about users with breached passwords is of interest, it is recommended to use the Get-SppPeriodicScanningResultUsers cmdlet. Note that this does not generate a Specops Password Auditor PDF report, but a Periodic Scanning report in Specops Password Policy.

Scheduling reports from Specops Password Auditor

Using the cmdlet above and Windows Task Scheduler it is possible to schedule report generation.

Below is an example script that generates a PDF report and sends it as an email to the organization's CISO.

  1. Create a script file named reporting.ps1. For this example the file is saved here: C:\pdf_reports\scripts\reporting.ps1
  2. Include the following code in the script file:
    $out_folder = 'C:\pdf_reports\out'
    # Generate the PDF report; the verbose stream (4) is redirected to a log file in the output folder
    $pdf_report_path = New-SpaReport -OutputDirectory $out_folder -Verbose 4> "$out_folder\log.txt"
    # Mail the generated PDF to the CISO
    Send-MailMessage -Subject 'SPA report' -To 'ciso@acme.org' -From 'automated-reporting@acme.org' -SmtpServer 'smtp.acme.org' -Port 587 -Attachments $pdf_report_path

    Make sure to set your preferred output path for $out_folder, and to input the correct email parameters for your setup.

    NOTE
    It is recommended to run this on a server that is not a domain controller.
  3. Create a scheduled task in Windows Task Scheduler.
    1. Select Action > Create Basic Task
    2. Give it a name.
    3. In the Trigger section, set your preferred interval.
    4. In the Action section, select Start a Program:
      • Program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      • Add argument: C:\pdf_reports\scripts\reporting.ps1

Since some of the reports contain password-related information, domain administrative permission is required. It is recommended to run the scheduled task as a domain admin account dedicated for this purpose.
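The scheduled task from step 3 can also be created from PowerShell instead of the Task Scheduler GUI. The following is an added example and not part of the Specops documentation; the task name, run time, time limit and the account name ACME\svc-spa-report are assumptions to adjust for your environment.

```powershell
# Added example: register the reporting task with the Windows Task Scheduler cmdlets.
# Task name, schedule and account name are assumptions; the script path matches step 1.
$scriptPath = 'C:\pdf_reports\scripts\reporting.ps1'
$taskName   = 'Specops Password Auditor weekly report'

# Run the report script non-interactively; -ExecutionPolicy Bypass applies to this process only
$action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Weekly trigger, Monday 06:00, so the CISO receives a fresh report at the start of the week
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6:00am

# Stop the task if report generation hangs, and never start a second instance in parallel
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew

# Prompt for the dedicated reporting account (assumed name) so its password is never
# written into a script; Task Scheduler stores the credential for the task itself
$cred = Get-Credential -Message 'Dedicated reporting account' -UserName 'ACME\svc-spa-report'

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest

# Confirm the task exists and review the principal it will run as
Get-ScheduledTask -TaskName $taskName | Format-List TaskName, State, Principal
```

Run `Start-ScheduledTask -TaskName $taskName` once after registering to confirm that the PDF is written to $out_folder and that the mail arrives before relying on the weekly schedule.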